As state policymakers implement statewide longitudinal data systems that collect, store, link and share student-level data, it is critical that they understand applicable privacy and data security standards and laws designed to ensure the privacy, security and confidentiality of that data. To help state policymakers navigate this complex legal landscape, the Data Quality Campaign has partnered with Education Counsel and the Information Management Practice of Nelson Mullins Riley & Scarborough to develop Using Data to Improve Education: A Legal Reference Guide to Protecting Student Privacy and Data Security. This guide provides summaries of multiple federal and state laws that have implications for statewide longitudinal data systems. The full guide can be accessed in multiple ways: by federal law, state law by issue and state law by state. Visit www.dataqualitycampaign.org/privacy guide.

The information provided here is intended to serve as a good starting place for policymakers. For more detailed information about any of the specific state laws, please contact Jon A. Neiditz, Partner, Nelson Mullins Riley & Scarborough LLP at jon.neiditz@nelsonmullins.com or 404.322.6139.


Columns (listed for each state below):

State, Law & Effective Date
Triggering Event (Risk / Harm or Access)
Electronic Only or Paper Included?
"Personal Information" Definition As Compared To CA Definition*
Exception for Encryption or Redaction?
Applicable to State or Government Agencies? [1]
Pre-Breach Measures Included in Breach Law?
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity
Civil or Criminal Penalties?
Private Right of Action Included in Breach Law?
Criminal Investigation or Publicly Available Information Exception?
Other Parties to be Notified? (Excludes State Agency Obligations)
Alabama

Alaska
Law & Effective Date: Alaska Stat. § 45.48.010 et seq.; 6/14/08
Triggering Event: Unauthorized acquisition, or reasonable belief of unauthorized acquisition, that compromises security, confidentiality or integrity of Personal Information ("PI") unless no reasonable likelihood of harm (must retain documentation for 5 years); "acquisition" defined
Electronic Only or Paper Included?: Paper & electronic
PI Definition Compared To CA*: Modified CA - account number, credit card or debit card number alone unless can only be accessed with a personal code; also passwords, PINs or access codes for financial accounts
Exception for Encryption or Redaction?: Encryption (unless encryption key is also disclosed) or redaction
Applicable to State or Government Agencies? [1]: Yes, applies to governmental agencies.
Pre-Breach Measures Included?: Yes, provisions relating to use, display and communication of Social Security numbers, provisions relating to destruction and disposal of paper documents with PI and implementation of policies and procedures relating to destruction of electronic media (effective 7/1/09)
Timing of Notification: Most expedient manner possible and without unreasonable delay unless after reasonable investigation and written notice to Attorney General determine no reasonable likelihood of harm (must retain documentation for 5 years)
Civil or Criminal Penalties?: Yes
Private Right of Action?: Only for breach of pre-breach measures relating to disposal of records
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: Attorney General if no notification provided; Consumer Reporting Agencies if notifying 1,000+ AK residents unless subject to GLBA


[1] This analysis assumes that a law that states it applies to "a person who conducts business in this state" without specifically defining person to include state or governmental agencies does not apply to such agencies.

* "CA" = California's initial definition of "Personal Information," which was "an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number, (2) Driver's license number or California Identification Card number (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account." Cal. Civ. Code § 1798.82(e).

Arkansas
Law & Effective Date: Ark. Code § 4-110-101 et seq.; 3/31/05
Triggering Event: Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless no reasonable likelihood of harm
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA plus medical information if not encrypted or redacted
Exception for Encryption or Redaction?: Encryption or redaction
Applicable to State or Government Agencies? [1]: No
Pre-Breach Measures Included?: Yes, security procedures and all reasonable steps to destroy by shredding, erasing or otherwise modifying PI to make unreadable or undecipherable
Timing of Notification: Following discovery or notification of breach and most expedient time and manner possible and without unreasonable delay unless no reasonable likelihood of harm
Civil or Criminal Penalties?: Yes
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: No

California
Law & Effective Date: Cal. Civ. Code § 1798.80 et seq. & § 1798.29 (gov't agencies); 7/1/03 & 1/1/07
Triggering Event: Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA plus medical & health insurance information (revised)
Exception for Encryption or Redaction?: Encryption
Applicable to State or Government Agencies? [1]: Yes
Pre-Breach Measures Included?: Yes, all reasonable steps to destroy by shredding, erasing or otherwise modifying PI to make unreadable. Also, reasonable security procedures.
Timing of Notification: Following discovery or notification of breach and most expedient time and manner possible and without unreasonable delay
Civil or Criminal Penalties?: No
Private Right of Action?: Yes
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: No

Colorado
Law & Effective Date: Col. Rev. Stat. § 6-1-716, 9/1/06; § 6-1-713, 8/4/2004
Triggering Event: Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless investigation finds misuse of PI has not occurred or will not reasonably likely occur
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA plus redacted or secured by other method to make unreadable or unusable
Exception for Encryption or Redaction?: Encryption, redaction or secured by other method to make unreadable or unusable
Applicable to State or Government Agencies? [1]: If entity subject to guidelines of primary or functional state or federal regulator
Pre-Breach Measures Included?: Each public and private entity in the state that uses documents during the course of business that contain personal identifying information shall develop a policy for the destruction or proper disposal of paper documents containing personal identifying information. "Personal identifying information" means a SSN, personal ID #, password, pass code, an official state or gov't issued driver's license or ID #, a gov't passport #, biometric data, an employer, student or military ID # or a financial transaction device. Public entities managing records in part 1 of Art. 80 of title 24 of the Colo. Rev. Stat. shall be deemed to have complied with this provision.
Timing of Notification: Most expedient time and manner possible and without unreasonable delay unless investigation finds misuse of PI has not occurred or will not reasonably likely occur
Civil or Criminal Penalties?: Yes
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: Consumer Reporting Agencies if notifying 1,000+ CO residents unless subject to GLBA



Connecticut
Law & Effective Date: Conn. Gen. Stat. § 36A-701(b), 1/1/06; Conn. Gen. Stat. § 42-471, 10/1/08
Triggering Event: Unauthorized access to or acquisition of electronic files, media, databases or computerized data; no breach if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, reasonably determine that harm will not likely result from breach.
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA
Exception for Encryption or Redaction?: Encryption or secured by other method to make unreadable or unusable
Applicable to State or Government Agencies? [1]: No
Pre-Breach Measures Included?: (effective 10/1/08) If possess PI, must safeguard the data, computer files and documents with PI from misuse by third parties, and destroy, erase or make unreadable such data, computer files and documents prior to disposal; also must publicly display privacy protection policy if collect Social Security numbers
Timing of Notification: Without unreasonable delay unless, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that harm will not likely result from breach
Civil or Criminal Penalties?: Yes
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: No

Delaware
Law & Effective Date: Del. Code tit. 6, § 12B-101 et seq.; 6/28/05
Triggering Event: Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless investigation finds misuse of PI has not occurred or will not reasonably likely occur
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA
Exception for Encryption or Redaction?: Encryption
Applicable to State or Government Agencies? [1]: Yes, applies to governments, governmental subdivisions, agencies, and instrumentalities.
Pre-Breach Measures Included?: No
Timing of Notification: Most expedient time and manner possible and without unreasonable delay unless investigation finds misuse of PI has not occurred or will not reasonably likely occur.
Civil or Criminal Penalties?: Yes
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: No

Florida
Law & Effective Date: Fla. Stat. § 817.5681; 7/1/05
Triggering Event: Unlawful & unauthorized acquisition of computerized data that materially compromises security, confidentiality or integrity of PI unless investigation finds misuse of PI has not occurred or will not reasonably likely occur (must retain documentation for 5 years)
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA
Exception for Encryption or Redaction?: Encryption
Applicable to State or Government Agencies? [1]: Yes, applies to gov't agencies or subdivisions except that fines do not apply to gov't entities, but third party engaged by such entity to perform gov't services would be liable for such fines.
Pre-Breach Measures Included?: No
Timing of Notification: Without unreasonable delay, but no later than 45 days unless investigation finds misuse of PI has not occurred or will not reasonably likely occur (must retain documentation for 5 years)
Civil or Criminal Penalties?: Yes (gov't agencies exempt from fines)
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: Consumer Reporting Agencies if notifying 1,000+ FL residents



Georgia
Law & Effective Date: Ga. Code § 10-1-910 et seq.; 5/5/05 (Applies only to "information brokers" and governmental agencies)
Triggering Event: Unauthorized acquisition of computerized data maintained by an information broker or governmental data collector that compromises security, confidentiality or integrity of PI
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: Modified CA - account number, credit card or debit card number alone unless can only be accessed with additional info; also passwords, personal ID #s or access codes; plus information sufficient to perform or attempt to perform identity theft
Exception for Encryption or Redaction?: Encryption or redaction
Applicable to State or Government Agencies? [1]: Yes, applies to any state or local agency or subdivision thereof including any dept., bureau, authority, public university or college, academy, commission, or other gov't entity [2]
Pre-Breach Measures Included?: Ga. Code § 10-15-2, eff. 2002. A business may not discard a record containing PI [3] unless (1) shred customer's record before discarding; (2) erase the PI contained in the customer's record before discarding the record; (3) modify customer's record to make the PI unreadable before discarding; or (4) take actions that it reasonably believes will ensure that no unauthorized person will have access to PI contained in customer's record for the period between the record's disposal and the record's destruction
Timing of Notification: Most expedient time and manner possible and without unreasonable delay
Civil or Criminal Penalties?: No
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: Consumer Reporting Agencies if notifying 10,000+ GA residents

Hawaii
Law & Effective Date: Haw. Rev. Stat. § 487N-2, 1/1/07; Haw. Rev. Stat. § 487R-2, 4/17/2008
Triggering Event: Unauthorized access to and acquisition of records or data where illegal use has occurred, is reasonably likely to occur and creates risk of harm
Electronic Only or Paper Included?: Any form
PI Definition Compared To CA*: CA
Exception for Encryption or Redaction?: Encryption or redaction (unless confidential process or key is also disclosed)
Applicable to State or Government Agencies? [1]: Yes, applies to gov't agencies, which include any department, division, board, commission, public corporation, or other agency or instrumentality of the State or of any county.
Pre-Breach Measures Included?: Yes, extensive disposal measures required in Haw. Rev. Stat. § 487R-2, but excludes entities subject to GLBA, HIPAA or FCRA
Timing of Notification: Following discovery or notification and without unreasonable delay
Civil or Criminal Penalties?: Yes (but government agencies exempt)
Private Right of Action?: Yes (but not against government agencies)
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: If notifying 1,000+ HI residents, Hawaii Office of Consumer Protection and Consumer Reporting Agencies


[2] Georgia's security breach law does not apply to any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information.

[3] Ga. Code § 10-15-1(9). "Personal information" means: (A) Personally identifiable data about a customer's medical condition, if the data are not generally considered to be public knowledge; (B) Personally identifiable data which contain a customer's account or identification number, account balance, balance owing, credit balance, or credit limit, if the data relate to a customer's account or transaction with a business; (C) Personally identifiable data provided by a customer to a business upon opening an account or applying for a loan or credit; or (D) Personally identifiable data about a customer's federal, state, or local income tax return. (10)(A) "Personally identifiable" means capable of being associated with a particular customer through one or more identifiers, including, but not limited to, a customer's fingerprint, photograph, or computerized image, social security number, passport number, driver identification number, personal identification card number, date of birth, medical information, or disability information. (B) A customer's name, address, and telephone number shall not be considered personally identifiable data unless one or more of them are used in conjunction with one or more of the identifiers listed in subparagraph (A) of this paragraph.


Idaho
Law & Effective Date: Id. Code §§ 28-51-104 to 28-51-107, 7/1/06; H.B. 566, amending § 28-51-05, eff. 3/31/10
Triggering Event: Illegal acquisition of computerized data that materially compromises security, confidentiality or integrity of PI unless investigation finds misuse of PI has not occurred or will not reasonably likely occur
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA
Exception for Encryption or Redaction?: Encryption
Applicable to State or Government Agencies? [1]: Yes, applies to state and local agencies.
Pre-Breach Measures Included?: No
Timing of Notification: Most expedient time possible and without unreasonable delay unless investigation finds misuse of PI has not occurred or will not reasonably likely occur
Civil or Criminal Penalties?: Yes
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: Eff. 3/31/10, state agencies must notify AG within 24 hours of discovery of breach; must also notify chief information officer of dept. of administration

Illinois
Law & Effective Date: 815 Ill. Comp. Stat. 530/1 et seq., 1/1/06; 20 Ill. Comp. Stat. 450/1 et seq., 7/23/03
Triggering Event: Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA
Exception for Encryption or Redaction?: Encryption or redaction
Applicable to State or Government Agencies? [1]: Yes, applies to government agencies, public and private universities
Pre-Breach Measures Included?: Yes, extensive disposal procedures required for data stored on State-owned electronic data processing equipment. Applies to the Department of Central Mgt Services or an authorized agency (other than public universities or their governing boards). However, the governing board of each public university must implement and administer the provisions of this Act with respect to State-owned electronic data processing equipment utilized by the university.
Timing of Notification: Most expedient time possible and without unreasonable delay
Civil or Criminal Penalties?: Violation constitutes unlawful practice under Consumer Fraud and Deceptive Business Practices Act
Private Right of Action?: Yes
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: No



Indiana
Law & Effective Date: Ind. Code § 24-4.9; Ind. Code § 24-4-14; 7/1/06
Triggering Event: Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI if the unauthorized acquisition has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), identity theft, or fraud affecting the IN resident
Electronic Only or Paper Included?: Electronic and non-computerized
PI Definition Compared To CA*: CA + financial account number, etc. instead of account number, etc.
Exception for Encryption or Redaction?: Encryption or redaction (unless confidential process or key is also disclosed)
Applicable to State or Government Agencies? [1]: Yes, applies to state and local agencies
Pre-Breach Measures Included?: Yes, when disposing of unencrypted, unredacted PI, must shred, incinerate, mutilate, erase, or otherwise render PI illegible or unusable - failing to is Class C infraction, if for 100+ customers = Class A infraction (exempts certain gov't agencies and those subject to FCRA, HIPAA, Patriot Act, Financial Modern. Act & Exec. Order 13224)
Timing of Notification: Without unreasonable delay if the unauthorized acquisition has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), identity theft, or fraud affecting the IN resident
Civil or Criminal Penalties?: Yes
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: Consumer Reporting Agencies if notifying 1,000+ IN residents

Iowa
Law & Effective Date: Iowa Code §§ 715C.1 & 715C.2; 7/1/08
Triggering Event: Unauthorized acquisition of PI maintained in computerized form that compromises security, confidentiality or integrity of PI unless determine no reasonable likelihood of financial harm (maintain documentation for 5 years)
Electronic Only or Paper Included?: Computerized
PI Definition Compared To CA*: CA + financial account number, etc. instead of account number, etc., unique electronic identifier or routing code with access code permitting access or unique biometric data
Exception for Encryption or Redaction?: Encryption, redaction or altered by any method or technology so name or data elements are unreadable
Applicable to State or Government Agencies? [1]: Yes, applies to government, gov't subdivision, agency, or instrumentality.
Pre-Breach Measures Included?: No
Timing of Notification: Most expeditious manner possible & without unreasonable delay unless determine no reasonable likelihood of financial harm (maintain documentation for 5 years)
Civil or Criminal Penalties?: Yes, unlawful practice pursuant to § 714.16 (Consumer Frauds)
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: No



Kansas
Law & Effective Date: Kansas Stat. 50-7a01, 50-7a02, 50-7a03; 7/1/06
Triggering Event: Unauthorized access to and acquisition of computerized data that compromises security, confidentiality or integrity of PI and causes or is reasonably believed to cause ID theft to a consumer
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA + financial account number, credit or debit card number, alone or in combination with any required security code, access code or password that would permit access to a consumer's financial account.
Exception for Encryption or Redaction?: Encryption or redaction
Applicable to State or Government Agencies? [1]: Yes, applies to government or governmental subdivision or agency.
Pre-Breach Measures Included?: Yes, all reasonable steps to destroy by shredding, erasing or otherwise modifying PI to make unreadable
Timing of Notification: Most expedient time possible and without unreasonable delay unless investigation finds misuse of PI has not occurred or will not reasonably likely occur
Civil or Criminal Penalties?: Yes
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: Consumer Reporting Agencies if notifying 1,000+ Kan. residents

Kentucky 


Louisiana
Law & Effective Date: La. Rev. Stat. § 51:3071 et seq.; 1/1/06
Triggering Event: Compromise of security, confidentiality or integrity of computerized data that results in, or reasonably could result in, unauthorized acquisition of and access to PI unless reasonable investigation finds no reasonable likelihood of harm to customers
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA plus redacted
Exception for Encryption or Redaction?: Encryption or redaction
Applicable to State or Government Agencies? [1]: Yes, applies to a political subdivision of the state, and any officer, agency, board, commission, department or similar body of the state or any political subdivision of the state.
Pre-Breach Measures Included?: No
Timing of Notification: Most expedient time possible and without unreasonable delay unless reasonable investigation finds no reasonable likelihood of harm to customers
Civil or Criminal Penalties?: No
Private Right of Action?: Yes
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: No



Maine
Law & Effective Date: Me. Rev. Stat. tit. 10 §§ 1347 et seq.; 1/31/06 (rev'd 1/31/07), amended by Public Law, Chap. 161 (eff. 9/12/09)
Triggering Event: Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless reasonable & prompt investigation finds no misuse or reasonable likelihood of misuse of PI
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: SSN, driver's license or state ID #, account #, credit card # or debit card # if could be used w/o access code or password, password, PINs or any of the above if sufficient to permit ID theft
Exception for Encryption or Redaction?: Encryption or redaction
Applicable to State or Government Agencies? [1]: Yes, applies to gov't agencies, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities.
Pre-Breach Measures Included?: No
Timing of Notification: As expediently as possible and without unreasonable delay unless reasonable & prompt investigation finds no misuse or reasonable likelihood of misuse of PI; eff. 9/12/09, notice may not be delayed by more than 7 business days after a law enforcement agency determines that notification will not compromise a criminal investigation.
Civil or Criminal Penalties?: Yes
Private Right of Action?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified?: Consumer Reporting Agencies if notifying 1,000+ persons. Either state regulator or attorney general if any notice made

Maryland
Law & Effective Date: Md. Code, Com. Law §§ 14-3501 - 14-3508; 1/1/08
Triggering Event: Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless reasonable & prompt investigation finds no misuse or reasonable likelihood of misuse of PI (must retain documentation for 3 years)
Electronic Only or Paper Included?: Electronic
PI Definition Compared To CA*: CA, financial account #, etc. + an individual taxpayer identification number
Exception for Encryption or Redaction?: Encryption, redaction or otherwise protected by another method that renders it unreadable or unusable
Applicable to State or Government Agencies? [1]: No
Pre-Breach Measures Included?: Reasonable steps to protect PI during destruction; maintain reasonable security procedures & practices; must contractually require 3rd party service providers to maintain reasonable security procedures & practices (3rd party contract requirement effective 1/1/09)
Timing of Notification: As soon as reasonably practicable unless reasonable & prompt investigation finds no misuse or reasonable likelihood of misuse of PI (must retain documentation for 3 years if no notification provided)
Civil or Criminal Penalties?: Yes, unfair or deceptive trade practice under Title 13 of Article 14, subject to its enforcement and penalty provisions
Private Right of Action?: Yes
Criminal Investigation or Publicly Available Information Exception?: Yes, both plus if individual consented to public dissemination or disseminated in accordance with HIPAA
Other Parties to be Notified?: Must notify Office of Attorney General prior to providing notification to individuals; if notifying 1,000+ persons, must notify consumer reporting agencies






Massachusetts
Law & Effective Date: Mass. Gen. Laws ch. 93H, § 1 et al., 2/3/08; 201 CMR 17.00-17.04, 3/1/2010
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of data or electronic data that compromises security, confidentiality or integrity of PI and creates a substantial risk of ID theft or fraud
Electronic Only or Paper Included?: Electronic and any other material upon which written, drawn, spoken, visual or electromagnetic information or images are recorded
"Personal Information" Definition As Compared To CA Definition*: CA + financial account number, etc., but without encryption; also, with or without security code, access code, PIN or password
Exception for Encryption or Redaction?: Encryption (unless confidential process or key is also disclosed)
Applicable to State or Government Agencies?[1]: Yes, applies to any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof.
Pre-Breach Measures Included in Breach Law?: Yes, dispose of PI by redacting, shredding, pulverizing or burning to make unreadable or unable to be reconstructed (Mass. Gen. Laws ch. 93I, § 2); must develop, implement & maintain information security program consistent with industry standards that contains administrative, technical & physical safeguards to ensure security & confidentiality of records with PI (specific components of program described as well) (effective 3/1/10, 201 CMR 17.03); must implement computer system security requirements including encryption of all stored PI and all wireless transmissions of PI where technically feasible (effective 3/1/10, 201 CMR 17.04)
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: As soon as practicable and without unreasonable delay when know or have reason to know of breach or PI has been acquired or used by unauthorized person or used for an unauthorized purpose; must document responsive actions taken in connection with any incident involving a security breach, including any changes in business practices (effective 3/1/10, 201 CMR 17.03)
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Attorney General, director of office of consumer affairs and business regulation and consumer reporting agencies identified by director

Michigan
Law & Effective Date: Mich. Comp. Laws § 445.61 et seq.; 6/29/07
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of or access to data that compromises security or confidentiality of PI maintained as part of a database of PI regarding multiple individuals; no breach if it has not or will not likely cause substantial loss or injury or result in identity theft
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA + demand deposit or other financial account number, etc. instead of account number
Exception for Encryption or Redaction?: Encryption or redaction (unless confidential process or key is also disclosed)
Applicable to State or Government Agencies?[1]: Yes, applies to any department, board, commission, office, agency, authority, or other unit of state government and includes an institution of higher education.
Pre-Breach Measures Included in Breach Law?: Yes, destroying by shredding, erasing or otherwise modifying PI to make unreadable if no longer needed
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Without unreasonable delay after discovery or notice unless breach has not or will not likely cause substantial loss or injury or result in identity theft
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Consumer Reporting Agencies if notifying 1,000+ persons unless subject to GLBA


Minnesota
Law & Effective Date: Minn. Stat. § 325E.61; 1/1/06
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA plus other method that makes data unreadable or unusable
Exception for Encryption or Redaction?: Encryption or other method (unless key is also disclosed)
Applicable to State or Government Agencies?[1]: No
Pre-Breach Measures Included in Breach Law?: No
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Most expedient time possible and without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Consumer Reporting Agencies if notifying 500+ within 48 hours

Mississippi
Law & Effective Date: Miss. HB 583; 7/1/2011
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of electronic files, media, databases or computerized data. Notification not required if, after an appropriate investigation, reasonably determine that the breach will not likely result in harm to affected individuals
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA
Exception for Encryption or Redaction?: Encryption or secured by any other method or technology that renders the personal information unreadable or unusable
Applicable to State or Government Agencies?[1]: No
Pre-Breach Measures Included in Breach Law?: No
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Without unreasonable delay, subject to law enforcement exception and completion of investigation to determine nature and scope of incident, to identify affected individuals, or to restore reasonable integrity of the data system. Notification not required if, after an appropriate investigation, reasonably determine that the breach will not likely result in harm to affected individuals.
Civil or Criminal Penalties?: Violation considered an unfair trade practice.
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): No


Missouri
Law & Effective Date: Mo. Rev. Stat. § 407.1500; 8/28/09
Triggering Event (Risk / Harm or Access): Unauthorized access to and unauthorized acquisition of PI maintained in computerized form that compromises the security, confidentiality, or integrity of the PI.
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA + unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account; medical information [4] or health insurance information [5].
Exception for Encryption or Redaction?: Encryption, redaction, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable
Applicable to State or Government Agencies?[1]: Yes, applies to government, governmental subdivision, governmental agency and governmental instrumentality
Pre-Breach Measures Included in Breach Law?: No
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Made without unreasonable delay; notification not required if, after an appropriate investigation or after consultation with relevant federal, state, or local agencies, determine that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years.
Civil or Criminal Penalties?: Yes, civil
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): If notifying 1,000+ MO residents, notify, without unreasonable delay, the AG's office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice.

Montana
Law & Effective Date: Mont. Code § 30-14-1701 et seq.; 3/1/06
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI and causes or is reasonably likely to cause loss or injury
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA + tribal identification number
Exception for Encryption or Redaction?: Encryption
Applicable to State or Government Agencies?[1]: No
Pre-Breach Measures Included in Breach Law?: Yes, all reasonable steps to destroy by shredding, erasing or otherwise modifying PI to make unreadable where PI defined as name, signature, address, or telephone number, in combination with one or more of following: passport number, driver's license or state ID #, insurance policy #, bank account #, credit card or debit card #, passwords or personal identification #s required to obtain access to the individual's finances, or any other financial information. SSN alone constitutes PI
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): No


[4] "Medical information": any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

[5] "Health insurance information": an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual.


Nebraska
Law & Effective Date: Neb. Rev. Stat. 87-801, 87-802, 87-803, 87-804, 87-805, 87-806 and 87-807; 7/14/06
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless reasonable & prompt investigation finds no use or likely use of PI for unauthorized purpose
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA plus redacted or other method that makes data unreadable, unique electronic ID # or routing code with code and biometric data
Exception for Encryption or Redaction?: Encryption, redaction or other method that makes data unreadable
Applicable to State or Government Agencies?[1]: Yes, applies to government, governmental subdivision, agency and instrumentalities.
Pre-Breach Measures Included in Breach Law?: No
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: As soon as possible and without unreasonable delay unless reasonable & prompt investigation finds no use or likely use of PI for unauthorized purpose
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): No

Nevada
Law & Effective Date: Nev. Rev. Stat. 603A.010 et seq.; 10/1/05, 1/1/06 or 10/1/08 (depending on provision). Nev. Rev. Stat. 603A.215; 1/1/10
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data that materially compromises security, confidentiality or integrity of PI
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA, but excludes last 4 numbers of SSN
Exception for Encryption or Redaction?: Encrypted (eff. 10/1/08, must encrypt all external electronic transmissions containing PI other than faxes; eff. 1/1/10, such encryption must be a standard adopted by an established standards setting body; this revised definition of encryption does not apply to breach determinations.)
Applicable to State or Government Agencies?[1]: Yes, applies to any gov't agency and institution of higher education.
Pre-Breach Measures Included in Breach Law?: Yes, shred, erase or otherwise modify PI to make unreadable or undecipherable if no longer needed. Use reasonable security measures and include security terms in contracts where PI disclosed unless subject to fed. or state law with greater protections. Effective 1/1/10, all data collectors that accept payment cards must comply with PCI Data Security Standard; also, all external electronic transmissions containing PI other than faxes must be secured using encryption and using an encryption standard adopted by an established standards setting body (e.g., NIST); also, must not transfer a data storage device containing PI beyond logical or physical controls unless using such level of encryption. Safe harbor from liability for damages if comply with revised provision, barring gross negligence or int. misconduct.
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Most expedient time possible and without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: Yes, data collector can sue breacher
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Consumer Reporting Agencies if notifying 1,000+ persons


New Hampshire
Law & Effective Date: N.H. RSA 359-C:19 et seq., 1/1/07; N.H. RSA 358-A:3, 1/1/07; HB 619 (amending ch. 213), 1/1/10 (PHI-related only)
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data that compromises security or confidentiality of PI unless promptly determine that no misuse or likely misuse of PI
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA
Exception for Encryption or Redaction?: Encryption (unless key is also disclosed)
Applicable to State or Government Agencies?[1]: Yes, applies to any agency, authority, board, court, department, division, commission, institution, bureau, or other state governmental entity, or any political subdivision of the state.
Pre-Breach Measures Included in Breach Law?: As of 1/1/10, health care providers and their business associates ("BAs") will be obligated to notify affected individuals of disclosures of PHI that are allowed under federal law, but are prohibited under NH law. Under NH law, health care providers and their BAs must (i) obtain authorization for the use or disclosure of PHI for "marketing" and (ii) offer individuals an opt-out opportunity for the use or disclosure of PHI for fundraising purposes. In addition, PHI cannot be disclosed for marketing (even with an authorization) or fundraising by voice mail, unattended facsimile, or through other methods of communication that are not secure.
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: As soon as possible unless promptly determine that no misuse or likely misuse of PI
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: Yes
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Primary regulator if subject to 358-A:3; others notify attorney general. Consumer Reporting Agencies if notifying 1,000+ consumers unless subject to GLBA

New Jersey
Law & Effective Date: N.J. Stat. 56:8-161 to 163; 1/1/06
Triggering Event (Risk / Harm or Access): Unauthorized access to electronic files, media or data with PI that compromises security, confidentiality or integrity of PI unless investigation finds misuse of PI is not reasonably possible (must retain documentation in writing for 5 years)
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA plus dissociated data that, if linked, would constitute PI if link accessed.
Exception for Encryption or Redaction?: Encrypted or other method that renders PI unreadable or unusable
Applicable to State or Government Agencies?[1]: Yes, applies to "public entities", which includes the State, any county, municipality, district, public authority, public agency, and any other political subdivision or public body in the State.
Pre-Breach Measures Included in Breach Law?: Yes, destroy by shredding, erasing or otherwise modifying PI to make unreadable, undecipherable or nonreconstructable. Additional guidelines on SSN in N.J. Stat. 56:8-164.
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Most expedient time possible and without unreasonable delay unless investigation finds misuse of PI is not reasonably possible (must retain documentation in writing for 5 years)
Civil or Criminal Penalties?: No
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Div. of State Police in Dept. of Law & Public Safety prior to notification. Consumer Reporting Agencies if notifying 1,000+ persons

New Mexico
(no entries)

New York
Law & Effective Date: N.Y. Bus. Law § 899-aa; 12/8/05
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data with private information that compromises security, confidentiality or integrity of private information (e.g., stolen laptop, signs of downloading / copying or fraudulent accounts or identity theft reports)
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: "Personal Information" includes name, number, personal mark or other identifier that can identify a natural person. "Private Information" = CA with PI instead of first name or first initial & last name
Exception for Encryption or Redaction?: Encryption (unless key is also disclosed)
Applicable to State or Government Agencies?[1]: No
Pre-Breach Measures Included in Breach Law?: Not in breach law, but in N.Y. Gen. Bus. Law § 399-h, which prohibits a person from destroying a record with personal identifying information ("PII") unless (1) record is shredded before disposal; (2) PII contained in the record is destroyed; (3) record modified to make PII unreadable; or (4) actions consistent with commonly accepted industry practices that it reasonably believes will ensure that no unauthorized person will have access to PII in record are taken.
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Most expedient time possible and without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Attorney General, Consumer Protection Bd. and State Office of Cyber Security if any NY residents notified. Consumer Reporting Agencies if notifying 5,000+ persons

North Carolina
Law & Effective Date: N.C. Gen. Stat. § 75-60 et seq., 12/1/05; N.C. Gen. Stat. § 132-1.10, 8/1/06; NC SB 1017 (eff. 10/1/09)
Triggering Event (Risk / Harm or Access): Unauthorized access to and acquisition of records or data containing PI where illegal use of the PI has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.
Electronic Only or Paper Included?: Electronic, paper or otherwise - "Records" = any material upon which written, drawn, spoken, visual or electromagnetic information or images are recorded or preserved regardless of physical form or characteristics
"Personal Information" Definition As Compared To CA Definition*: Person's first name or first initial and last name combined with one or more of: SSN, driver's license #, checking or savings account # or credit card or debit card #, PIN, digital signature, biometric data, fingerprint or passwords. Also electronic ID #, email names or addresses, parent's maiden name or any other #s if permit access to financial resources
Exception for Encryption or Redaction?: Encryption (unless confidential process or key is accessed) and redaction
Applicable to State or Government Agencies?[1]: Yes
Pre-Breach Measures Included in Breach Law?: Yes, extensive measures required in § 75-64, but excludes entities subject to GLBA, HIPAA or FCRA
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: Yes, if injured as a result of a violation
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Consumer Protection Division of AG's Office and Consumer Reporting Agencies if notifying 1,000+ persons; eff. 10/1/09: Must notify the Consumer Protection Division of the AG's Office of the nature of the breach, # of consumers affected by breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.

North Dakota
Law & Effective Date: N.D. Cent. Code § 51-30-01 et seq.; 6/1/05
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data giving access to PI
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA plus DOB, mother's maiden name, employee ID # & digitized or electronic signature
Exception for Encryption or Redaction?: Encryption or other method that renders PI unreadable or unusable
Applicable to State or Government Agencies?[1]: No
Pre-Breach Measures Included in Breach Law?: No
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Most expedient time possible and without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): No

Ohio
Law & Effective Date: Ohio Rev. Code § 1349.19 et seq., 1349.191, 1349.192 & 1347.12 (gov't agencies); 3/30/07
Triggering Event (Risk / Harm or Access): Unauthorized access to and acquisition of computerized data containing PI that causes, reasonably is believed to have caused or reasonably is believed will cause material risk of ID theft or other fraud
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA plus redacted or other method that renders data elements unreadable
Exception for Encryption or Redaction?: Encryption, redaction or other method that renders data elements unreadable
Applicable to State or Government Agencies?[1]: Yes
Pre-Breach Measures Included in Breach Law?: No
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Without unreasonable delay, but no later than 45 days (subject to legitimate needs of law enforcement)
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Consumer Reporting Agencies if notifying 1,000+ OH residents

Oklahoma
Law & Effective Date: Okla. Stat. § 74-3113.1, as amended by § 24-161 et seq.; 11/1/08
Triggering Event (Risk / Harm or Access): Unauthorized access and acquisition of computerized data that compromises security or confidentiality of PI maintained as part of a database regarding multiple individuals that causes or is reasonably believed to cause identity theft or fraud
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA plus redacted
Exception for Encryption or Redaction?: Encryption (unless key is disclosed) and redaction
Applicable to State or Government Agencies?[1]: Yes, applies to governments, governmental subdivisions, agencies, and instrumentalities.
Pre-Breach Measures Included in Breach Law?: No
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): No


Oregon
Law & Effective Date: Or. Rev. Stat. 646A.600 et seq.; 10/1/07 (Section 12 (Security Program) 10/1/07)
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless investigation finds no reasonable likelihood of harm to OR residents (must retain documentation in writing for 5 years)
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA plus financial account number, passport number or other US-issued ID No., or such information sufficient to permit a person to commit identity theft
Exception for Encryption or Redaction?: Encryption (unless key is disclosed), redaction or other methods
Applicable to State or Government Agencies?[1]: Yes, applies to public bodies, which include state government bodies, local government bodies and special government bodies.
Pre-Breach Measures Included in Breach Law?: Provisions relating to display and use of Social Security numbers; must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of PI, including disposal of PI no longer needed by burning, pulverizing, shredding or modifying a physical record or destroying or erasing electronic media
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Most expeditious time possible and without unreasonable delay unless investigation finds no reasonable likelihood of harm to OR residents (must retain documentation in writing for 5 years)
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No, but the director of Dept. of Consumer & Business Services may require a violator to pay compensation to consumers injured by the violation upon a finding that enforcement of consumers' rights by private civil action would be so burdensome or expensive as to be impractical
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Consumer Reporting Agencies if notifying 1,000+ OR residents

Pennsylvania
Law & Effective Date: 73 Pa. Cons. Stat. § 2303; 6/22/06
Triggering Event (Risk / Harm or Access): Unauthorized access & acquisition of computerized data that materially compromises security or confidentiality of PI in database and causes or could be reasonably believed to cause loss or injury
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA plus redacted and financial account number, etc. instead of account number, etc.
Exception for Encryption or Redaction?: Encryption (unless key is disclosed) or redaction
Applicable to State or Government Agencies?[1]: Yes, applies to state agencies and political subdivisions.
Pre-Breach Measures Included in Breach Law?: No
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: Without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Yes, both
Other Parties to be Notified? (Excludes State Agency Obligations): Consumer Reporting Agencies if notifying 1,000+ persons


Rhode Island
Law & Effective Date: R.I. Gen. Laws § 11-49.2-1 et seq. and 6-52-2; 3/1/06
Triggering Event (Risk / Harm or Access): Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI; notification required if breach poses significant risk of identity theft
Electronic Only or Paper Included?: Electronic
"Personal Information" Definition As Compared To CA Definition*: CA
Exception for Encryption or Redaction?: Encryption
Applicable to State or Government Agencies?[1]: Yes, applies to state agencies.
Pre-Breach Measures Included in Breach Law?: Yes, reasonable security procedures by owners and licensees as well as recipient if disclose unencrypted PI. Also, a business shall take reasonable steps to destroy or arrange for the destruction of a customer's PI within its custody and control that is no longer to be retained by the business by shredding, erasing, or otherwise destroying and/or modifying the PI in those records to make it unreadable or indecipherable through any means.
Timing of Notification Following Determination of Scope of Breach & Restoration of System Integrity: If breach poses significant risk of identity theft, most expedient time possible and without unreasonable delay
Civil or Criminal Penalties?: Yes
Private Right of Action Included in Breach Law?: No
Criminal Investigation or Publicly Available Information Exception?: Criminal investigation only
Other Parties to be Notified? (Excludes State Agency Obligations): No

South Carolina
  Law & effective date: S.C. Code § 39-1-90, 7/1/09; S.C. Code § 16-13-510
  Triggering event (risk/harm or access): Unauthorized access to and acquisition of computerized data containing personal identifying information ("PII") that compromises the security, confidentiality, or integrity of PII when illegal use has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: CA + other numbers or information which may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that will uniquely identify an individual (personal identifying information ("PII"))
  Exception for encryption or redaction? Encryption, redaction, or other methods
  Applicable to state or government agencies? Yes, applies to any agency, department, board, commission, committee, or institution of higher learning of the State or a political subdivision of it.
  Pre-breach measures included in breach law? Yes, rules on disclosure of SSNs and when disposing of PII, must modify, by shredding, erasing or other means, to make it unreadable or undecipherable
  Timing of notification following determination of scope of breach & restoration of system integrity: Following discovery or notification of breach and most expedient time and manner possible and without unreasonable delay
  Civil or criminal penalties? Yes
  Private right of action included in breach law? Yes
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): Consumer Protection Division of Dept. of Consumer Affairs & all national Consumer Reporting Agencies if notifying 1,000+ persons

South Dakota
  (all columns blank in the source table)


Tennessee
  Law & effective date: Tenn. Code § 47-18-2107, 7/1/05; S.B. 2793, 3/22/10
  Triggering event (risk/harm or access): Unauthorized acquisition of computerized data that materially compromises security, confidentiality or integrity of PI
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: CA. Eff. 3/22/10, not notice-triggering when TN Independent Colleges & Universities Ass'n or its members are req'd by law to disclose to TN Higher Ed. Comm'n confidential student data or records.
  Exception for encryption or redaction? Encryption
  Applicable to state or government agencies? Yes, applies to any agency of the state or any of its political subdivisions.
  Pre-breach measures included in breach law? No
  Timing of notification following determination of scope of breach & restoration of system integrity: Most expedient time possible and without unreasonable delay
  Civil or criminal penalties? Yes
  Private right of action included in breach law? Yes (but state agencies can't sue)
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): Consumer Reporting Agencies & credit bureaus if notifying 1,000+ persons

Texas
  Law & effective date: Tex. Bus. & Com. Code §§ 521.001 et seq., eff. 4/1/09, as amended by HB No. 2004 (eff. 9/1/09) (applies to sensitive info.) (amended to apply to state agencies along with other amendments); Tex. Bus. & Com. Code § 72.001 et seq. (4/1/09) (applies to personal identifying info.; see footnote 6)
  Triggering event (risk/harm or access): Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of sensitive PI; Eff. 9/1/09, "breach of system security" will also include "data that is encrypted if the person accessing the data has the key required to decrypt the data."
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: "Sensitive Personal Information" = CA (also has "Personal Identifying Information" definition). Eff. 9/1/09, includes information that identifies an individual and relates to (i) the physical or mental health condition; (ii) the provision of health care; or (iii) payment for the provision of health care.
  Exception for encryption or redaction? Encryption (for "Sensitive PI"); Eff. 9/1/09, "breach of system security" will also include "data that is encrypted if the person accessing the data has the key required to decrypt the data."
  Applicable to state or government agencies? Yes
  Pre-breach measures included in breach law? Yes, a business (including non-profit athletic or sports associations) must maintain reasonable procedures & destroy by shredding, erasing or otherwise modifying PI to make unreadable, or undecipherable (exempts "financial institution" as defined by 15 USC § 6809)
  Timing of notification following determination of scope of breach & restoration of system integrity: As quickly as possible
  Civil or criminal penalties? Yes
  Private right of action included in breach law? Yes
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): Consumer Reporting Agencies if notifying 10,000+ persons

6 "Personal identifying information" means an individual's first name or initial and last name in combination with one or more of the following: (A) date of birth; (B) social security number or other government-issued identification number; (C) mother's maiden name; (D) unique biometric data, including the individual's fingerprint, voice data, or retina or iris image; (E) unique electronic identification number, address, or routing code; (F) telecommunication access device as defined by Section 32.51, Penal Code, including debit or credit card information; or (G) financial institution account number or any other financial information.


Utah
  Law & effective date: Utah Code § 13-44-101 et seq.; 1/1/07
  Triggering event (risk/harm or access): Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless reasonable & prompt investigation finds no misuse or reasonable likelihood of misuse of PI for ID theft or fraud purpose
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: CA plus other method that renders PI unreadable or unusable and financial account number, or credit or debit card number plus any required security code, access code, or password that would permit access to the person's account
  Exception for encryption or redaction? Encryption or other method that renders PI unreadable or unusable
  Applicable to state or government agencies? Yes, applies to a person who owns or licenses computerized data that includes personal information concerning a Utah resident.
  Pre-breach measures included in breach law? Yes, maintain reasonable procedures & destroy by shredding, erasing or otherwise modifying PI to make indecipherable (exempts "financial institution" as defined by 15 USC § 6809)
  Timing of notification following determination of scope of breach & restoration of system integrity: Most expedient time possible & without unreasonable delay unless reasonable & prompt investigation finds no misuse or reasonable likelihood of misuse of PI for ID theft or fraud purposes
  Civil or criminal penalties? Yes
  Private right of action included in breach law? No
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): No

Vermont
  Law & effective date: Vt. Stat. Ann. Tit. 9 §§ 2430-2445; 1/1/07
  Triggering event (risk/harm or access): Unauthorized acquisition or access of computerized data that compromises security, confidentiality or integrity of PI unless misuse of PI not reasonably possible and detailed explanation provided to AG or dept. of banking, insurance, securities or health care admin. if licensed by those depts. (If later discover misuse, must notify consumers.)
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: CA plus account or card #s if can be used alone, passwords, PINs or access codes alone and excludes PI that is made unreadable by being redacted or by other method; also, financial account number, etc. instead of account #, etc.
  Exception for encryption or redaction? Encryption, redaction, or other method that renders PI unreadable
  Applicable to state or government agencies? Yes, applies to the state, state agencies, political subdivisions of the state, public and private universities.
  Pre-breach measures included in breach law? Yes, destroy by shredding, erasing or otherwise modifying PI to make unreadable or indecipherable when no longer needed, but excludes entities subject to GLBA, HIPAA or FCRA. PI = following information that identifies, relates to, describes, or is capable of being associated with a particular individual: his or her signature, SSN, physical characteristics or description, passport #, driver's license or state identification card #, insurance policy #, bank account #, credit card or debit card #, or any other financial information
  Timing of notification following determination of scope of breach & restoration of system integrity: Most expedient time possible & without unreasonable delay unless misuse of PI not reasonably possible and detailed explanation provided to Attorney General or dept. of banking, insurance, securities or health care admin. if licensed by those depts. (If later discover misuse, must notify consumers.)
  Civil or criminal penalties? Yes
  Private right of action included in breach law? No
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): Consumer Reporting Agencies if notifying 1,000+ persons (unless licensed by Title 8 by dept. of banking, insurance, securities or health care)



Virginia
  Law & effective date: Va. Code § 18.2-186.6, 7/1/08; Va. Code § 32.1-127.1:05 (added by HB 1039) (applies to governmental entities only), 1/1/11
  Triggering event (risk/harm or access): Unauthorized access and acquisition of computerized data that compromises security or confidentiality of PI maintained as part of a database regarding multiple individuals that causes or is reasonably believed to cause identity theft or other fraud.
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: CA plus financial account number, etc. instead of account number, etc. "Medical information" (eff. 1/1/11) means first name or first initial and last name in combination with and linked to any one or more of the following data elements: (1) Any information regarding an individual's medical or mental health history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or (2) An individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
  Exception for encryption or redaction? Encryption (unless key acquired) or redaction. For medical information (eff. 1/1/11), "Encrypted" means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or securing of information by another method that renders the data elements unreadable or unusable.
  Applicable to state or government agencies? Yes, applies to governments, governmental subdivisions, agencies and instrumentalities.
  Pre-breach measures included in breach law? No
  Timing of notification following determination of scope of breach & restoration of system integrity: Without unreasonable delay if breach believed to have caused or will cause identity theft or fraud to any VA resident. For medical info and subject to law enforcement exception, without unreasonable delay unless delayed to determine scope of breach and restore reasonable integrity of system.
  Civil or criminal penalties? Yes. For medical info, AG can bring action and impose civil penalties up to $150,000 per breach (or a series of similar breaches of a similar nature that are discovered in a single investigation).
  Private right of action included in breach law? Yes (except for state-chartered or licensed financial institutions or an entity regulated by the State Corporation Commission's Bureau of Insurance)
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): Office of the Attorney General for PI and medical information; Consumer Reporting Agencies if notifying 1,000+ persons



Washington
  Law & effective date: Wash. Rev. Code § 19.255.010, 7/24/05; § 19.215.020, Wash. HB 1149, 7/1/10
  Triggering event (risk/harm or access): Unauthorized acquisition of computerized data that compromises security, confidentiality or integrity of PI unless unlikely to subject customers to a risk of criminal activity
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: CA
  Exception for encryption or redaction? Encryption
  Applicable to state or government agencies? No
  Pre-breach measures included in breach law? Must take all reasonable steps to destroy (see footnote 7), or arrange for the destruction of, personal financial and health information and personal identification numbers issued by government entities in an individual's records within its custody or control when the entity is disposing of records that it will no longer retain. Under HB 1149, if a processor or business fails to take reasonable care to guard against unauthorized access to payment card account information in its possession or control, and that failure is the cause of the breach, the processor or business is liable to the relevant financial institution for reasonable actual costs related to the reissuance of payment cards to WA residents. Similarly, a vendor will be liable to the financial institution for these costs to the extent the damages were caused by the vendor's negligence. A business is an entity that processes more than 6,000,000 credit card and debit card transactions annually, and who provides, offers, or sells goods or services to WA residents. A processor is any entity, other than a business, that "directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service." A vendor is any "entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own." Safe harbors granted if account info was encrypted at time of breach or if entity was in compliance with PCI DSS and validated by annual security assessment that took place no more than 1 year prior to breach.
  Timing of notification following determination of scope of breach & restoration of system integrity: Most expedient time possible & without unreasonable delay unless unlikely to subject customers to a risk of criminal activity
  Civil or criminal penalties? No
  Private right of action included in breach law? Yes
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): No

7 Wash. Rev. Code § 19.215.010. (2) "Destroy personal information" means shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means. (4) "Personal financial" and "health information" mean information that is identifiable to an individual and that is commonly used for financial or health care purposes, including account numbers, access codes or passwords, information gathered for account security purposes, credit card numbers, information held for the purpose of account access or transaction initiation, or information that relates to medical history or status. (5) "Personal identification number issued by a government entity" means a tax identification number, social security number, driver's license or permit number, state identification card number issued by the department of licensing, or any other number or code issued by a government entity for the purpose of personal identification that is protected and is not available to the public under any circumstances.






Washington, D.C.
  Law & effective date: DC Code Ann. § 28-3851-3853; 3/8/07
  Triggering event (risk/harm or access): Unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises security, confidentiality or integrity of PI
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: CA plus phone number or address in combination with other elements, also credit card or debit card #s alone, account # or access codes, etc. that allow access to financial or credit account (does not use "encrypted", but rendered secure)
  Exception for encryption or redaction? Rendered secure so as to be unusable
  Applicable to state or government agencies? No
  Pre-breach measures included in breach law? No
  Timing of notification following determination of scope of breach & restoration of system integrity: Most expedient time possible & without unreasonable delay
  Civil or criminal penalties? Yes
  Private right of action included in breach law? No
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): Consumer Reporting Agencies if notifying 1,000+ persons unless subject to GLBA's reporting requirements



West Virginia
  Law & effective date: W. Va. Code §§ 46A-2A-101 - 105; 6/6/08
  Triggering event (risk/harm or access): Unauthorized access and acquisition of computerized data that compromises security or confidentiality of PI maintained as part of a database regarding multiple individuals that causes or is reasonably believed to cause identity theft or other fraud
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: CA plus financial account number (instead of account number in CA)
  Exception for encryption or redaction? Encryption (unless key is acquired) or redaction
  Applicable to state or government agencies? Yes, applies to governments, governmental subdivisions, agencies and instrumentalities.
  Pre-breach measures included in breach law? No
  Timing of notification following determination of scope of breach & restoration of system integrity: Without unreasonable delay if breach believed to have caused or will cause identity theft or fraud to any WVa resident
  Civil or criminal penalties? Yes
  Private right of action included in breach law? No
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): Consumer Reporting Agencies if notifying 1,000+ persons

Wisconsin
  Law & effective date: Wis. Stat. § 134.98; 3/31/06
  Triggering event (risk/harm or access): Unauthorized acquisition of PI unless no material risk of identity theft or fraud
  Electronic only or paper included? Any form
  "Personal Information" definition as compared to CA definition*: CA plus DNA profile, biometric data and excludes PI that is redacted or made unreadable by other method; also, financial account #, etc. instead of account #, etc.
  Exception for encryption or redaction? Encryption, redaction or other method that renders PI unreadable
  Applicable to state or government agencies? Yes, applies to the state and any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts.
  Pre-breach measures included in breach law? No
  Timing of notification following determination of scope of breach & restoration of system integrity: Within a reasonable time, not to exceed 45 days, unless no material risk of identity theft or fraud
  Civil or criminal penalties? No
  Private right of action included in breach law? No
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): Consumer Reporting Agencies if notifying 1,000+ individuals

Wyoming
  Law & effective date: Wyo. Stat. Ann. § 40-12-501 to 509; 7/1/07
  Triggering event (risk/harm or access): Unauthorized acquisition of computerized data that materially compromises security, confidentiality or integrity of PI and causes or reasonably believed to cause loss or injury
  Electronic only or paper included? Electronic
  "Personal Information" definition as compared to CA definition*: "Personal Identifying Information" = CA plus Tribal ID card or Fed or state government issued ID card, but "redacted" instead of "encrypted"
  Exception for encryption or redaction? Redaction such that no more than 5 digits of SSN, id card # or payment card # show
  Applicable to state or government agencies? No
  Pre-breach measures included in breach law? No
  Timing of notification following determination of scope of breach & restoration of system integrity: Most expedient time possible & without unreasonable delay unless reasonable & prompt investigation shows no misuse or likelihood of misuse of PI
  Civil or criminal penalties? Yes
  Private right of action included in breach law? No
  Criminal investigation or publicly available information exception? Yes, both
  Other parties to be notified? (excludes state agency obligations): No

